8
  • It's not the echo that gets executed. It's the function definition of x. If the function defined in x does some sneaky underhanded work, there is no way bash can check the return value if function x were real. Notice the function is empty in the test code. An unchecked return value can lead to script injection. Script injection leads to privilege escalation and privilege escalation leads to root access. The patch disables the creation of x as a function. Commented Sep 24, 2014 at 20:25
  • 26
    eyoung100, no, the echo is getting executed. You can see it's getting executed because the word vulnerable appears in the output. The main problem is that bash is parsing and executing the code after the function definition as well. See the /bin/id part of seclists.org/oss-sec/2014/q3/650 for another example. Commented Sep 25, 2014 at 1:42
  • 4
    Just a quick side comment. Red Hat have advised that the patch that has been released is only a partial patch and leaves systems still at risk. Commented Sep 25, 2014 at 13:49
  • 2
    @eyoung100 the difference is that the code inside the function only executes when the environment variable is explicitly called. The code after the function definition executes every time a new Bash process starts. Commented Sep 26, 2014 at 17:42
  • 1
    See stackoverflow.com/questions/26022248/… for additional details Commented Oct 1, 2014 at 19:24
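
The comments above distinguish code inside the function body from code that follows the function definition. As an added example (not part of the original thread, and not code from Bash or any vendor), the following check flags environment values that carry text after a function body. It assumes the pre-patch encoding in which an exported function is a value starting with `() {`; the names `classify`, `scan` and `SAMPLE_ENV` are hypothetical and the sample values are constructed.

```python
import re

# Assumption: pre-patch Bash encoding, where an exported function is an
# environment value that starts with "() {".
FUNC_PREFIX = re.compile(r"\(\)\s*\{")

def classify(value):
    """Return (verdict, tail). Heuristic matcher: tracks quotes and
    backslash escapes only, not the full shell grammar."""
    m = FUNC_PREFIX.match(value)
    if not m:
        return ("not-function", "")
    depth, quote, i = 1, None, m.end()
    while i < len(value) and depth > 0:
        ch = value[i]
        if quote:
            if ch == "\\" and quote == '"':
                i += 1                      # skip escaped char inside "..."
            elif ch == quote:
                quote = None
        elif ch == "\\":
            i += 1                          # skip escaped char
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        i += 1
    if depth > 0:
        return ("malformed", value[m.end():])
    tail = value[i:].strip(" \t\r\n;")
    return ("trailing-code", tail) if tail else ("function-only", "")

def scan(env):
    """Report variables whose function-style value is malformed or
    carries text after the function body."""
    findings = {}
    for name, value in env.items():
        verdict, tail = classify(value)
        if verdict in ("trailing-code", "malformed"):
            findings[name] = (verdict, tail)
    return findings

# Constructed sample environment (not captured from a real system).
SAMPLE_ENV = {
    "x": "() { :;}; echo vulnerable",
    "greet": '() { echo "hi}"; }',
    "PATH": "/usr/bin:/bin",
}

if __name__ == "__main__":
    print(scan(SAMPLE_ENV))
```

Only `x` is reported: its body is empty and the `echo` sits after the closing brace, while `greet` keeps all of its code inside the body.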